@lidio601
Last active August 29, 2015 14:02
Openssl Apache Self Signed SSL Certificate
SERVER="webserver.dns.domain.name"
# setup the working directory
mkdir -vp ./public
mkdir -vp ./private
# #########
# custom CA
# #########
# generate the custom CA private key, passphrase-protected
# (1024-bit RSA and 3DES are too weak for a CA key valid for ten years)
openssl genrsa -aes256 -out private/cacert.key 4096
# generate the custom CA certificate request
openssl req -new -key private/cacert.key -out private/cacert.csr
# generate the custom CA certificate
# note: "-extensions v3_ca" only takes effect together with "-extfile ./openssl.cnf"
openssl x509 -extensions v3_ca -days 3650 -signkey private/cacert.key -in private/cacert.csr -req -out public/cacert.crt
# ##########
# SSL server
# ##########
# create the CSR and the private key for the SSL server (maybe the Apache web server?)
# (no "-x509" here: that would emit a self-signed certificate instead of a CSR)
# "-config ./openssl.cnf" optional
openssl req -new -nodes -newkey rsa:2048 -keyout "private/$SERVER.key" -out "private/$SERVER.csr"
# custom CA certificate sign
# "-extfile ./openssl.cnf -extensions <section>" optional
openssl x509 -days 3650 -CA public/cacert.crt -CAkey private/cacert.key -set_serial 01 -in "private/$SERVER.csr" -req -out "public/$SERVER.crt"
#openssl ca -policy policy_anything -CAfile private/cacert.crt -out private/$SERVER.crt -infiles private/$SERVER.csr -days 365
#openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
# ###########
# maintenance
# ###########
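# fix the private key file permissions
# (directories need the execute bit to be traversable, so directory and file modes are set separately)
chown -Rfv root:root private
find private -type f -exec chmod -fv 0400 {} +
# let the apache group reach (but not list) the directory holding the server key
chown -fv root:apache private
chmod -fv 0710 private
chown -fv root:apache "private/$SERVER.key"
chmod -fv 0440 "private/$SERVER.key"
chown -Rfv root:apache public
chmod -fv 0755 public
find public -type f -exec chmod -fv 0644 {} +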
# see http://alessice.wordpress.com/2008/10/28/come-si-genera-un-csr-certificate-signing-request/
# see http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
# see http://forum.synology.com/wiki/index.php/How_to_generate_custom_SSL_certificates
# ##################
# certificate verify
# ##################
openssl x509 -in public/$SERVER.crt -noout -text
openssl x509 -subject -issuer -enddate -noout -in public/$SERVER.crt
openssl verify -purpose sslserver -CAfile public/cacert.crt public/$SERVER.crt
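
The verify commands above print the certificate and check the chain, but they do not confirm that the certificate belongs to the private key Apache will load. The following is an added example, not part of the original gist; the function name `check_server_cert`, its return codes and the 30-day default are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the files the script above produces.
# check_server_cert and its return codes are hypothetical names chosen here.
#
# usage: check_server_cert CERT KEY CACERT [MIN_DAYS]
# returns 0 ok, 2 unreadable input, 3 key mismatch, 4 chain failure, 5 expiring
check_server_cert() {
    cert=$1; key=$2; ca=$3; min_days=${4:-30}

    # Extract the public key from the certificate and from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key"; return 2; }

    # Apache refuses to start when certificate and key do not belong together.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate and private key do not match"; return 3; }

    # Match on the ": OK" line rather than the exit status, which old
    # OpenSSL releases left at 0 even when verification failed.
    openssl verify -purpose sslserver -CAfile "$ca" "$cert" 2>/dev/null |
        grep -q ': OK$' || { echo "certificate does not chain to $ca"; return 4; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "certificate expires within $min_days days"; return 5; }

    echo "ok: $cert"
}
```

With the gist's layout it would be called as `check_server_cert "public/$SERVER.crt" "private/$SERVER.key" public/cacert.crt`.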